MEMORANDUM OF UNDERSTANDING ON THE ROLE OF THE ICO IN RELATION TO 


NEW UK ADEQUACY ASSESSMENTS 


This is a Memorandum of Understanding (“MoU”) between the following Parties: 


The Secretary of State for Digital, Culture, Media & Sport (“DCMS”) 
at 100 Parliament Street, London, SW1A 2BQ 
and 
The Information Commissioner (“ICO”) 
at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 


Contents 


¢ Definitions 


“UK Adequacy Regulations” means regulations, made by the Secretary of State 
under section 17A (general processing) or section 74A (law enforcement processing) 
of the Data Protection Act 2018 (“DPA 2018”), giving effect to a finding by the 
Secretary of State that the specified country ensures an ‘adequate’ level of protection 
of personal data. 

“UK GDPR’” has the same meaning as in section 3(10) of the DPA 2018. 

“UK Adequacy Assessment Work” means all activity by DCMS in preparation for, or 
otherwise relating to, potential or actual adequacy decisions to be taken by the 
Secretary of State for the purposes of the UK Adequacy Regulation-making powers 
conferred by sections 17A and 74A of the DPA 2018. Such activity includes, but is 
not limited to, the activity of DCMS as described in this MoU. 

‘Country’ — refers to a country, territory or sector therein, or international organisation, 
unless the contrary is specified. 


* Background 


Sections 17A and 74A of the DPA 2018 confer powers on the Secretary of State to 
make UK Adequacy Regulations, in relation to general and law enforcement 
processing respectively, for the purposes of domestic law after the Transition Period 
ends at 23.00 GMT on 31 December 2020. 

The effect of UK Adequacy Regulations is to permit personal data to flow from the 
UK to a country specified in the Regulations without any further Chapter V UK GDPR 
or Chapter 5, Part 3, Data Protection Act 2018 (as appropriate) safeguards being 
necessary. 

Decisions relating to the making, review, amendment and revocation of UK 
Adequacy Regulations are, in accordance with the relevant provisions of the DPA 
2018, ultimately a matter for the Secretary of State. Before making UK adequacy 
regulations, the Secretary of State is required to consult the ICO and such other 
persons as the Secretary of State considers appropriate (section 182(2) of the DPA 
2018). This also reflects the requirement, in Article 36(4) of the UK GDPR, for the 
Secretary of State to consult the ICO in such circumstances. 

Article 57(1)(c) of the UK GDPR (Tasks) provides that the ICO must advise 
Parliament, government and others on legislative and administrative measures 


relating to data protection (for general processing), and this is reiterated in section 
115(3) of the DPA18 (for law enforcement processing). 

This task is in addition to the Information Commissioner’s general power to issue an 
opinion on any issues related to data protection (Article 58(3)(b) and section 115(8)). 
Equivalent provisions in respect of law enforcement processing are found at 
paragraphs 1(1)(c) and 2(d) of Schedule 13 to the DPA 2018. 

This MoU only relates to the role of the ICO in relation to potential “new” UK 
Adequacy Regulations (that is, the making of Regulations under the powers in ss. 
17A or 74A of the DPA 2018 for the first time in respect of a country). For the 
avoidance of doubt, this MoU relates to any such UK Adequacy Regulations to 
potentially be made in respect of any country that is, at the time such Regulations are 
to be made, “specified” for the purposes of paragraphs 4(1) or 10(1) of Schedule 21 
to the DPA 2018. 

The Information Commissioner's role in any Adequacy Assessment review process 
(for the purposes of ss.17B or 74B of the DPA 2018 in respect of existing regulations 
made under ss. 17A or 74A of the DPA 2018) will be subject to a separate MoU 
between the parties. 


¢ Purpose and key principles 


This MoU sets out an agreed understanding between the Parties on the role and 
responsibilities of the ICO in relation to UK Adequacy Assessment Work. 


In particular, this MoU describes the agreed understanding between the Parties on 
the: 


* Working-level cooperation and consultation between DCMS and the ICO; 

¢ Status of the cooperation and consultation, including the status of the views of 
the ICO; and 

¢ Respective roles and responsibilities of DCMS and the ICO in the context of 
future decision-making by the Secretary of State in relation to UK Adequacy 
Regulations. 


The Parties agree to the following guiding principles as part of this MoU: 


¢ ‘No surprises’ environment - Close working-level engagement between 
DCMS and ICO teams at all stages to provide both Parties the opportunity to 
discuss in a timely manner issues relating to UK Adequacy Assessment Work 
to help ensure ‘no surprises’ relating to future positions and decision-making. 

¢ Sharing expertise - DCMS recognises that the ICO, as the UK’s supervisory 
authority for data protection, can bring valuable factual information, insights, 
and knowledge in those areas where the ICO is well placed to assist (an 
example would be sharing information relating to the role and effectiveness of 
the relevant country’s regulator). 

* Forward planning - In this context, DCMS recognises that sharing information 
in a timely manner on its programme of UK Adequacy Assessment Work with 
the ICO will inform appropriate management of ICO resourcing in pursuit of 
the ICO’s role set out in this MoU. Similarly, the ICO will share information 
with DCMS to inform DCMS planning of UK Adequacy Assessment work, 
taking account of ICO resourcing and the implications of substantive issues 
raised by ICO 

¢ Independent decision-making by the Secretary of State - As required by s.182 
of the DPA 2018, the Secretary of State will consult the ICO before making 
UK Adequacy Regulations and will take into account, but is not bound by, the 


ICO’s views. DCMS will undertake UK Adequacy Assessment Work and the 
Secretary of State alone retains the decision-making power as to the 
“adequacy” of another country. 

Independence of the ICO - Nothing in this MoU impacts the independence of 
the ICO. 


© Roles and responsibilities 


e The Parties recognise that DCMS and the ICO have different roles: 


The Secretary of State is empowered to make UK Adequacy Regulations in 
respect of a country. To assist with this, a specific team of officials within 
DCMS will undertake UK Adequacy Assessment Work. This includes 
conducting research and carrying out engagement to collect information, 
consulting on this information with relevant stakeholders (including, where 
appropriate, the ICO), undertaking analysis of any information obtained and 
making recommendations to the Secretary of State. The Secretary of State 
will consider recommendations for adequacy decisions in respect of a country 
and undertake any necessary consultation (including with the ICO) before 
taking a decision as to whether or not to make UK Adequacy Regulations. 


The UK Adequacy Assessment Work to be undertaken by DCMS can be 
categorised into four broad phases: (1) Gatekeeping, (2) Assessment, (3) 
Recommendation, and (4) Procedural. 


¢ Gatekeeping is the programme of work associated with making a 
decision as to whether to commence an assessment in respect of a 
country, by reference to numerous policy factors reflecting HMG and 
UK interests. 

¢ Assessment is the programme of work associated with collecting and 
analysing information relating to the level of data protection in another 
country. 

¢ Recommendation is the programme of work associated with the 
DCMS UK Adequacy Assessment team making a recommendation to 
the Secretary of State who will then decide whether to make a finding 
of adequacy and make UK Adequacy Regulations in respect of 
another country. 

¢ Procedural is the programme of work associated with making the 
relevant UK Adequacy Regulations, laying these in Parliament, and 
any subsequent publication of the ICO’s opinion. 


The ICO’s role in relation to UK Adequacy Assessment Work — in line with its 
independent regulatory role and statutory responsibilities — includes: 
¢ During the Gatekeeping and Assessment phases in response to 
being engaged by officials in DCMS: providing comments and advice 
to DCMS officials, including via provision of relevant factual 
information that relate to a country’s data protection laws and 
practices (e.g. the role and effectiveness of the relevant country’s 
regulator); 
¢ During the Recommendation phase: providing a response on the 
draft conclusions of a DCMS assessment so that the Commissioner's 
view can be included in the recommendation to the Secretary of State 
and factored into their decision making. In forming its view, the ICO 


will consider, inter alia, the features of a country’s data protection laws 
and practices in the round, recognising that different countries have 
different ways of ensuring adequate levels of data protection; and 

¢ During the Procedural phase: providing advice and/or an opinion to 
Parliament, including on the process followed and the factors taken 
into consideration by the DCMS Adequacy Assessment team and the 


Secretary of State. 


e The Parties agree, where appropriate, to provide assistance to each other, in light of 


their particular roles, as set out below: 


Share factual research 
and analysis relating to 
countries’ data protection 
laws and practices. 
Share information on 
which countries are being 
considered as potential 
candidates for future 
assessment. 

Provide the list of 
countries agreed by the 
Secretary of State to 
commence assessments 
the ‘pipeline’). 

Request comments and 
supplementary information 
from the ICO. 

Share issues relating to a 
foreign country’s laws or 


Gatekeeping 


practices that differ from 
the UK. 


Recommendation 

(No proposed policy position nor 
any response from the ICO on 
that proposed policy position will 
be taken as the final position for 
either DCMS or the ICO, 
respectively, and neither Party 
will make the other Party’s 
proposed position public (except 
if a disclosure is required by 
law). 


Share a proposed policy 
position with the ICO prior 
to the Secretary of State 
taking a decision. 

Take any appropriate 
follow-up action in light of 
the ICO response to this 
policy position. 

Make recommendations to 
the Secretary of State, 
incorporating the views of 
the ICO. 

Notify the ICO of the 
decision. 


Provide comments and 
advice, including factual 
information to supplement 
DCMS research and 
analysis, especially on 
issues the ICO is well- 
placed to comment on (e.g. 
the practical 
implementation of relevant 
data protection law and 

its understanding of the 
role of the foreign 
regulator). 


Provide comments and 
advice on supplementary 
information to DCMS. 
Provide informal views on 
issues identified by DCMS 
(including what 
recommendations they will 
make in any advice or 
opinion to Parliament). 
Share a response on the 
proposed policy position so 
that this view can be 
included in the 
recommendation to the 
Secretary of State and 
factored into their decision- 
making. 


Procedural Notify the ICO of the Where requested, provide 
proposed timeline for comments to assist DCMS 


laying UK Adequacy with the drafting of relevant 

regulations in Parliament. | adequacy regulations. 
Notify DCMS of the ICO's 
timings for the publication 


of any advice or opinion for 
Parliament after adequacy 
regulations are laid in 
Parliament. 


In respect of all phases of work both Parties agree to meet at agreed intervals to 
discuss: 


¢ The ongoing and future programme of UK Adequacy Assessment Work, 
including sharing information where appropriate on upcoming milestones and 
timelines and; 


¢ International engagement opportunities, including those opportunities where 
HMG and the ICO can appropriately engage with other stakeholders together 
(e.g., in conversations with another country and its regulator(s)). 


In respect of all phases of UK Adequacy Assessment Work both Parties agree, 
where appropriate, to share relevant information relating to resourcing capacity, 
assumptions, and risks so that the programme of UK Adequacy Assessment Work is 
not hindered by a bottleneck due to the DCMS-ICO relationship. 


DCMS will ensure that only appropriate material arising from all phases of the UK 
Adequacy Assessment Work is shared with the ICO, protecting (amongst other 
things) HMG's national security, broader policy and legal interests, whilst still seeking 
to ensure that the ICO has sufficient information for it to provide meaningful and 
detailed comments, advice and opinions to DCMS and to Parliament. Information will 
be shared via the appropriate processes, including appropriate Government IT 
systems, dependent on classification of the material to be exchanged. 


© Confidentiality 


All information will be appropriately classified under the Government Security 
classification system and protected by each party accordingly. 


In particular, the ICO confirms that its usual process will be for it not to publish, 
share, disclose or otherwise disseminate or make available, directly or indirectly, any 
information (including its opinion) about UK Adequacy Assessment Work in relation 
to a particular country, except in exceptional circumstances or if such a disclosure 
(etc.) is required by law, in which case ICO would consult with DCMS prior to such 
disclosure (Save in exceptional circumstances). Notwithstanding the foregoing, in 
accordance with the ICO’s role in the Procedural phase, the ICO will, if appropriate, 
publish any advice and/or opinion relating to the specific UK Adequacy Regulations 
once those UK Adequacy Regulations have been made and laid in Parliament. 


Similarly DCMS confirms that it will not publish, share, disclose or otherwise 
disseminate or make available, directly or indirectly, any information provided to it by 
ICO in relation to UK Adequacy Assessment Work without prior agreement with the 
ICO, except in exceptional circumstances or if such a disclosure (etc.) is required by 


law, in which case DCMS would consult with ICO prior to such disclosure (save in 
exceptional circumstances). 


e Nothing in this MoU shall be taken as in any way affecting any legal obligation or 
duties or powers of either Party, including but not limited to any obligations under the 
Freedom of Information Act 2000. 


e The Parties agree, to the extent permitted by law and where appropriate to do so, to 
co-operate with each other to enable them to comply with their respective legal 
obligations, including but not limited to those arising under the Freedom of 
Information Act 2000. 


¢ In particular, to the extent permitted by law and where appropriate to do so, the 
Parties agree to notify each other in advance of sharing, disclosing or otherwise 
disseminating or making available, directly or indirectly, any information in respect of 
UK Adequacy Assessment Work, including where this is to be done in compliance 
with any legal obligation. 


* Review 


¢ This MOU will be reviewed between 1 July 2021 and 31 December 2021 and 
annually thereafter, unless a review is mutually agreed to be required sooner. 
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Secretary of State for Digital, Culture, Media and Sport 
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Elizabeth Denham CBE 
Information Commissioner 


